/*
 * Pattern for the argument string of the isdataat keyword.
 *
 * After optional leading whitespace and one optional '!', it captures:
 *   group 1: a token containing no whitespace and no comma
 *   group 2: an optional ", relative" modifier
 *   group 3: an optional ", rawbytes" modifier
 * The pattern is anchored at both ends, so anything other than whitespace
 * after the last recognised part makes the whole match fail.
 *
 * A single leading '!' is matched outside group 1, so negation has to be
 * detected separately from the captured token.
 * NOTE(review): whitespace is accepted before '!', while the negation test
 * visible at listing line 175 looks only at isdataatstr[0]. Confirm that the
 * caller strips leading whitespace from the option value; if it does not,
 * " !4" would match here but would not be flagged as negated.
 */
52 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
/*
 * Forward declaration of the unit-test registration routine. The definition
 * at listing line 681 registers the DetectIsdataatTestParse01-06 and
 * DetectIsdataatTestPacket01-03 cases through UtRegisterTest. The definition
 * omits the "static" keyword and takes internal linkage from this declaration.
 */
58 static void DetectIsdataatRegisterTests(
void);
100 char *args[3] = {NULL,NULL,NULL};
101 int ret = 0, res = 0;
106 if (ret < 1 || ret > 4) {
107 SCLogError(
"pcre_exec parse error, ret %" PRId32
", string %s", ret, isdataatstr);
113 res = pcre2_substring_get_bynumber(
114 parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
116 SCLogError(
"pcre2_substring_get_bynumber failed");
119 args[0] = (
char *)str_ptr;
123 res = pcre2_substring_get_bynumber(
124 parse_regex.
match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
126 SCLogError(
"pcre2_substring_get_bynumber failed");
129 args[1] = (
char *)str_ptr;
132 res = pcre2_substring_get_bynumber(
133 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
135 SCLogError(
"pcre2_substring_get_bynumber failed");
138 args[2] = (
char *)str_ptr;
148 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
151 "var name for offset. \"offset\" argument supplied to "
152 "this function has to be non-NULL");
160 strlen(args[0]), args[0]) < 0 ) {
168 if (args[1] !=NULL) {
175 if (isdataatstr[0] ==
'!') {
179 for (i = 0; i < (ret -1); i++) {
181 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
189 for (i = 0; i < (ret -1) && i < 3; i++){
191 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
218 idad = DetectIsdataatParse(
de_ctx, isdataatstr, &
offset);
251 "seen in isdataat - %s\n",
286 if (prev_pm == NULL) {
329 "preceding content option");
/*
 * Index the parse tests use to select an entry of s->sm_lists[] and
 * s->sm_lists_tail[]. Initialised to 0 here.
 * NOTE(review): presumably overwritten with the dce_stub_data buffer id
 * before the tests run; the assignment is not visible in this listing, confirm.
 */
344 static int g_dce_stub_data_buffer_id = 0;
350 static int DetectIsdataatTestParse01 (
void)
354 idad = DetectIsdataatParse(NULL,
"30 ", NULL);
367 static int DetectIsdataatTestParse02 (
void)
371 idad = DetectIsdataatParse(NULL,
"30 , relative", NULL);
384 static int DetectIsdataatTestParse03 (
void)
388 idad = DetectIsdataatParse(NULL,
"30,relative, rawbytes ", NULL);
400 static int DetectIsdataatTestParse04(
void)
411 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
421 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
431 static int DetectIsdataatTestParse05(
void)
444 "(msg:\"Testing bytejump_body\"; "
445 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
447 "content:\"one\"; distance:0; "
448 "isdataat:4,relative; sid:1;)");
454 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
458 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
467 "(msg:\"Testing bytejump_body\"; "
468 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
470 "content:\"one\"; distance:0; "
471 "isdataat:4,relative; sid:1;)");
472 if (s->
next == NULL) {
477 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
481 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
490 "(msg:\"Testing bytejump_body\"; "
491 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
493 "content:\"one\"; distance:0; "
494 "isdataat:4,relative,rawbytes; sid:1;)");
495 if (s->
next == NULL) {
500 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
504 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
513 "(msg:\"Testing bytejump_body\"; "
514 "content:\"one\"; isdataat:4,relative,rawbytes; sid:1;)");
515 if (s->
next == NULL) {
520 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
533 static int DetectIsdataatTestParse06(
void)
540 "(msg:\"Testing bytejump_body\"; "
542 "isdataat:!4,relative; sid:1;)");
555 "(msg:\"Testing bytejump_body\"; "
557 "isdataat: !4,relative; sid:2;)");
577 static int DetectIsdataatTestPacket01 (
void)
580 uint8_t *buf = (uint8_t *)
"Hi all!";
581 uint16_t buflen = strlen((
char *)buf);
587 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
591 sigs[0]=
"alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
592 sigs[1]=
"alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
593 sigs[2]=
"alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
594 sigs[3]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
595 sigs[4]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
597 uint32_t sid[5] = {1, 2, 3, 4, 5};
619 static int DetectIsdataatTestPacket02 (
void)
622 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
623 "User-Agent: Wget/1.11.4"
625 "Host: www.google.com"
626 "Connection: Keep-Alive"
627 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
628 uint16_t buflen = strlen((
char *)buf);
635 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with"
636 " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
637 "DullBoy/\"; isdataat:96,relative; sid:1;)";
651 static int DetectIsdataatTestPacket03 (
void)
654 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
655 "User-Agent: Wget/1.11.4"
657 "Host: www.google.com"
658 "Connection: Keep-Alive"
659 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
660 uint16_t buflen = strlen((
char *)buf);
667 char sig[] =
"alert tcp any any -> any any (msg:\"byte_jump match = 0 "
668 "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
669 "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
681 void DetectIsdataatRegisterTests(
void)
685 UtRegisterTest(
"DetectIsdataatTestParse01", DetectIsdataatTestParse01);
686 UtRegisterTest(
"DetectIsdataatTestParse02", DetectIsdataatTestParse02);
687 UtRegisterTest(
"DetectIsdataatTestParse03", DetectIsdataatTestParse03);
688 UtRegisterTest(
"DetectIsdataatTestParse04", DetectIsdataatTestParse04);
689 UtRegisterTest(
"DetectIsdataatTestParse05", DetectIsdataatTestParse05);
690 UtRegisterTest(
"DetectIsdataatTestParse06", DetectIsdataatTestParse06);
692 UtRegisterTest(
"DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
693 UtRegisterTest(
"DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
694 UtRegisterTest(
"DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);